1 From 101ef824ad7d8e47dc230a6a53011149aa85753d Mon Sep 17 00:00:00 2001
2 From: Sasha Levin <sashal@kernel.org>
3 Date: Mon, 8 Apr 2024 23:19:29 +0200
4 Subject: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort
5 path
6
7 From: Pablo Neira Ayuso <pablo@netfilter.org>
8
9 commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream.
10
11 The commit mutex should not be released during the critical section
12 between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
13 worker could collect expired objects and get the released commit lock
14 within the same GC sequence.
15
16 nf_tables_module_autoload() temporarily releases the mutex to load
17 module dependencies, then it goes back to replay the transaction again.
18 Move it at the end of the abort phase after nft_gc_seq_end() is called.
19
20 Cc: stable@vger.kernel.org
21 Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
22 Reported-by: Kuan-Ting Chen <hexrabbit@devco.re>
23 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
24 Signed-off-by: Sasha Levin <sashal@kernel.org>
25 ---
26 net/netfilter/nf_tables_api.c | 13 ++++++++-----
27 1 file changed, 8 insertions(+), 5 deletions(-)
28
29 diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
30 index 9801bac049e28..ca061fc0b1def 100644
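--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9880,11 +9880,6 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 nf_tables_abort_release(trans);
 }
 
- if (action == NFNL_ABORT_AUTOLOAD)
- nf_tables_module_autoload(net);
- else
- nf_tables_module_autoload_cleanup(net);
-
 return err;
 }
 
@@ -9901,6 +9896,14 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb,
 
 WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
 
+ /* module autoload needs to happen after GC sequence update because it
+ * temporarily releases and grabs mutex again.
+ */
+ if (action == NFNL_ABORT_AUTOLOAD)
+ nf_tables_module_autoload(net);
+ else
+ nf_tables_module_autoload_cleanup(net);
+
 mutex_unlock(&nft_net->commit_mutex);
 
 return ret;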
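Review bot: With the autoload block removed from the tail of `__nf_tables_abort()`, only `nf_tables_abort()` still runs `nf_tables_module_autoload_cleanup(net)`, so any other caller of `__nf_tables_abort()` would now return without the pending module requests being cleaned up. No such caller is visible in these hunks, so this needs checking against the 5.15 tree; if one exists, it should call `nf_tables_module_autoload_cleanup(net);` itself while it still holds `commit_mutex`. The new comment would also be easier to audit if it named the constraint directly, e.g. `/* must run after nft_gc_seq_end(): nf_tables_module_autoload() drops and re-takes commit_mutex */`. Both function bodies start above the context shown, so the `nft_gc_seq_end()` call the ordering depends on cannot be confirmed from the hunk itself.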
60 --
61 2.43.0
62